Orion Poplawski wrote:
On 02/19/2013 03:10 PM, Simo Sorce wrote:
On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
This is a followup to some previous discussions.  I have been
lobbying to keep
(and fix) the ability to install your own certificates when
configuring IPA in
order to make use of wildcard SSL certificates.  But it seems this
will not be
the case.  My last post on this went unanswered and I see tickets for
removal going forward.

As I understand it though, I'll still be able to generate a CSR for
the server
and get it signed by and external CA?  If this is the case, I guess
this extra
expense of individual SSL certificates for the various IPA servers
could be
acceptable, although unfortunate as this is what we had hoped to
avoid with
the wildcard cert.

Finally, there was mention of the possibility of getting the IPA CA
signed by
an external authority.  Just to let everyone know, this is a very
proposition.  I was quoted a $22,500 start fee plus licensing costs.
This is
*way* out of our (and I suspect many other small businesses) price

Why would you need to get your CA signed by a public authority ?

When we say external we generally think of another "Internal CA" that
you already use for your own services.



The problems with this are:

- Only a very small handful of people actually use this (or used it).
- We don't test this (obviously) and there are a lot of bugs and corner cases - Even if we do fix it, we likely still won't test it very often, leading to more woes
- This will blow up at cert renewal time
- There is still an underlying CA hidden in there, doing nothing (but perhaps cause problems) - If you want to support FF < 15 you need an object signing cert too to sign the auto-configure jar

A far better solution than replacing the certificates post-install is to have an option to have a CA-less IPA installation. I doubt we'd actively work on adding such an option. But it would likely be a lot more robust than changing things after-the-fact.


Freeipa-users mailing list

Reply via email to